An attack in which the attacker uses social skills and human interaction to obtain or compromise information about an organization or its computer systems is known as a social engineering attack. Your data is at risk every day through social engineering attacks because hacking a human is much easier than hacking a business.
What motivates social engineers?
- Obtaining personal information.
- Gaining unauthorized access.
- Circumventing established procedures.
- Because they can.
Personal Approach :- In a personal approach, the social engineer may approach you directly at a general meeting or gathering and obtain personal or critical information about you, directly or indirectly.
Telephone :- The attacker requests information, usually by imitating a legitimate bank or company, to obtain critical information such as bank or credit card data.
Online :- Internet connectivity enables attackers to approach individuals or employees from an anonymous internet source and, posing as a believable user, convince them to provide information.
Ransomware a Nightmare for Businesses
Ransomware is malware that installs itself covertly on a company’s computer, blocking or limiting user access and demanding a ransom payment to restore it. This is one of the fastest growing cyber threats and is expected to increase 400% every year.
The state of ransomware
- 25% of organizations had to cease business operations immediately because of ransomware.
- 81% of businesses have experienced a cyber attack.
- 66% have suffered a data breach.
- 35% were victims of ransomware.
- 72% of companies affected by ransomware could not access data for at least 2 days following the attack.
- 32% that lost access to their data for
- $10-$50 million in estimated monthly income for cyber criminals from ransomware.
Ways to Stop Social Engineering Attacks
- Walk through the company and make sure employees are not leaving personal or sensitive information in plain view of passing people, such as e-mail accounts, login information, passwords etc.
- Use dummy accounts to monitor the network; treat the admin account as a dummy as well, monitor who attempts to access it, and catch them in the act.
- Make a security policy that enforces that passwords must contain a certain combination of words, numbers and characters.
- Never allow an employee to leave their terminal or desk without first logging out of their respective machine or workstation.
Tips for Avoiding a Social Engineering Attack
- Limit public information:- Limit the amount of personal information that you share online.
- Be skeptical:- Always question requests for sensitive information.
- Trust but verify:- Don’t share information with people you don’t know unless you can verify their identity.
- Call them back:- Call the requester back through the main switchboard if possible.
- No password over the phone:- Never share your password with anyone over the phone.
Spot Fake E-mails and Stay Safe
In June 2015, the well-known company Ubiquiti Networks Inc. willingly wired $46.7 million to fake bank accounts in China. Why? Because the company’s CEO asked them to, in an email. Of course, the actual CEO never made any such request; a group of hackers did.
- Contact information:- The email contains a generic salutation or lacks any contact information for the recipient to use if they have questions.
- Spelling and grammar errors:- The email contains clear spelling or grammatical errors; emails from legitimate companies are normally proofread extensively before sending.
- Requests personal information:- The email requests that you follow a link to log in, or requests personal information such as a credit card PIN or password.
- High urgency or threats:- The email creates a high sense of urgency, or threatens consequences for inaction.
- Fake web links:- The sender’s displayed name and email address do not match the purported company the email represents, or the links send the recipient to other websites not associated with the purported company.
Note: 80% of attacks are phishing.
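As an added example (not part of the original page), the following Python checks a raw email against the red flags listed above: a sender address that is not the purported company’s domain, link text that names one site while the link points at another, urgency wording, a generic salutation, and a request to "verify" a password, PIN or card number. The bank name, the domains and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse
# Constructed samples (not real mail) from a fictional bank whose real domain is acme-bank.example.
PHISH_EMAIL = """\
From: "Acme Bank Support" <alerts@acme-bank-secure-login.example>
Subject: URGENT: your account will be suspended

Dear Customer,
Your account will be suspended within 24 hours unless you verify your password immediately.
<a href="http://login.acme-bank-secure-login.example/verify">https://www.acme-bank.example/login</a>
"""
LEGIT_EMAIL = """\
From: "Acme Bank" <statements@acme-bank.example>
Subject: Your March statement is ready

Hello Jane,
Your statement is ready at <a href="https://www.acme-bank.example/statements">https://www.acme-bank.example/statements</a>.
"""
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended")
GENERIC_SALUTATIONS = ("dear customer", "dear user", "dear valued customer")
HTML_LINK = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', re.IGNORECASE)

def domain_of(url_or_addr):
    """Host of a URL, or the domain of an email address, lowercased."""
    if "@" in url_or_addr and "://" not in url_or_addr:
        return url_or_addr.rsplit("@", 1)[1].lower()
    return (urlparse(url_or_addr).hostname or "").lower()

def phishing_indicators(raw, claimed_domain):
    """Return the red flags (from the list above) triggered by a raw message claiming to be from claimed_domain."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    lowered = ((msg["Subject"] or "") + "\n" + body).lower()
    sender_domain = domain_of(parseaddr(msg["From"] or "")[1])
    hits = []
    # Sender address is neither the purported company's domain nor a subdomain of it
    if not (sender_domain == claimed_domain or sender_domain.endswith("." + claimed_domain)):
        hits.append("sender_domain_mismatch")
    # Displayed link text names one site while the href points at another
    if any(shown.startswith("http") and domain_of(href) != domain_of(shown)
           for href, shown in HTML_LINK.findall(body)):
        hits.append("link_target_mismatch")
    if any(w in lowered for w in URGENCY_WORDS):
        hits.append("urgency_or_threat")
    if any(s in lowered for s in GENERIC_SALUTATIONS):
        hits.append("generic_salutation")
    if "verify" in lowered and re.search(r"\b(password|pin|credit card)\b", lowered):
        hits.append("requests_personal_info")  # asked to "verify" a password/PIN/card number
    return hits
```

The phishing sample trips all five indicators while the benign notice trips none; in practice these heuristics are a triage aid, and the "call them back" advice above remains the decisive check.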
Social engineering exploits the goodwill of unwitting victims. Here’s how:
- Website Spoofing:- Bogus websites masquerade as the real thing, tricking victims into sharing sensitive information.
- Phishing :- Emails impersonate legitimate businesses to acquire information. The linked websites request information through forms and offer downloads containing malware.
- Social Media Phishing :- Attackers use social networking sites such as Facebook, Twitter and Instagram instead of email to obtain your sensitive personal information or get you to click on malicious links.
- Baiting :- In baiting, the attacker dangles something enticing to move the victim to action. Physical media loaded with malware infects computers and steals information.
- Impersonation :- The scammer impersonates a trusted source online or in person to obtain valuable information.
- Poser :- The attacker poses as a vendor, client or employee and sends email from what looks like a reputable source.
How to Spot Phishing
Phishing is a technique used to fraudulently obtain usernames, passwords, credit card numbers and other sensitive information.
Fraudulent emails typically ask you to:
- Open an attachment
- Click on a link, redirecting you to a malicious website.
- Enter personal information when prompted.
Types of Phishing Attacks
- Spear Phishing: A highly targeted form of phishing that homes in on a specific group of individuals or a specific organization.
- Whaling: A form of phishing targeted at executive-level individuals.
- Cloning: A legitimate email is duplicated, but its content is replaced with malicious links or attachments.